Feedback on 0.3: Re "legal basis" - this may be confusing due to the other meaning under GDPR. Perhaps "Regime"? ALSO, is it right to encode this in each request given the ultimate answer may be hard to know conclusively at the start? E.g. when requests exist under more than one legal regime? Is this better characterized as an educated guess by the AA (e.g. make it explicitly non-binding and optional to parse)? One AA captures country or region but does not characterize the applicable legal regime; however, providing this as a hint if it's non-binding could be beneficial - the main thing is including the subject's physical residential address and country of origin. ESPECIALLY useful to have a verified claim from the AA of address as per section 3.0.4 of V.0.3. Also, region may be the best proxy. At the testing phase, ask if this is a helpful info value. (see: https://openid.net/specs/openid-connect-core-1_0.html#Claims)
Awesome! Couple thoughts on enumerating regimes by their acronyms:
There's no unique constraint on privacy laws' acronyms. A lot are already getting close to overlapping: CDPA (Virginia's "Consumer Data Privacy Act"), CPA ("Colorado Privacy Act"), CCPA ("California Consumer Privacy Act"), CPRA ("California Privacy Rights Act"). Canada has a "Privacy Act" which could cause issues with Colorado, for example.
They can change: CCPA is deprecating in favor of CPRA on Jan 1, 2023.
This isn't a huge deal right now so happy to punt on this for the time being.